RAXE-2026-061 CRITICAL CVSS 9.8 v3.1 S3

NVIDIA BioNeMo Framework Deserialization of Untrusted Data Enables Remote Code Execution (CVE-2026-24164)

Supply Chain 2026-04-24 M. Hirani TLP:GREEN

At a glance

  • The issue: NVIDIA's BioNeMo biomedical-AI framework deserialises untrusted data, which can give a remote attacker code execution. NVD rates it CVSS 9.8 critical.
  • Who's affected: Anyone running BioNeMo Framework from source or from NGC container images built before 2026-01-21.
  • What to do now: Pull the BioNeMo repo at commit e5e58c8 or later, and rebuild any NGC images from that commit.

Executive Summary

NVIDIA BioNeMo Framework is NVIDIA's open-source biomedical-AI framework, distributed both as source in the public github.com/NVIDIA/bionemo-framework repository and as pre-built images in the NVIDIA NGC container registry. It contains a deserialisation-of-untrusted-data vulnerability tracked as CVE-2026-24164, disclosed via NVIDIA Security Bulletin a_id/5808 and published on NVD (vulnStatus Analyzed, published 2026-03-31, lastModified 2026-04-03) with a CWE-502 mapping. NVD's Primary CVSS 3.1 is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, source nvd@nist.gov) while NVIDIA's CNA Secondary CVSS 3.1 is 8.8 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, source NVIDIA PSIRT), a deliberate UI:N vs UI:R divergence discussed below. NVD records an affected CPE with versionEndExcluding: 2026-01-21. Per NVD's verbatim description, a successful exploit "might lead to code execution, denial of service, information disclosure, and data tampering." The vendor remediation per Bulletin a_id/5808 is to "clone or update" BioNeMo to include commit e5e58c8 or later from the NVIDIA/bionemo-framework GitHub repository; NGC image rebuilds that incorporate that commit are the downstream delivery path.

Risk Rating

| Dimension | Rating | Detail |
|---|---|---|
| Severity | CRITICAL (NVD Primary) / HIGH (NVIDIA CNA Secondary) | NVD Primary CVSS 3.1 9.8 CRITICAL; NVIDIA CNA Secondary CVSS 3.1 8.8 HIGH, see CVSS Divergence below. |
| Urgency | Moderate, vendor fix published, no public PoC, no in-wild exploitation observed by RAXE | NVIDIA Security Bulletin a_id/5808 publishes the vendor fix; NVD Analyzed 2026-04-03; no KEV listing; FIRST.org EPSS 0.00074 (22.4th percentile) as of 2026-04-23. |
| Scope | NVIDIA BioNeMo Framework deployments prior to commit e5e58c8 on the upstream GitHub repository, and NGC container images built from commits earlier than that fix | NVD records versionEndExcluding: 2026-01-21 on the affected CPE; inventory can be driven by (a) Git commit SHA in self-built deployments and (b) NGC image digest / publication date for vendor-built images. |
| Confidence | High on the CVE, CWE, and CVSS facts; bounded on mechanics | Facts are directly attested in NVD and NVIDIA's advisory; attack mechanics beyond CWE-502 class are not publicly documented. |
| Business Impact | Critical on affected deployments | Per NVD's verbatim description: "code execution, denial of service, information disclosure, and data tampering." Deployment concentration is biomedical-AI research, drug discovery, and genomics workloads. |

CVSS Divergence

The NVD Primary and NVIDIA CNA Secondary differ on exactly one metric: UI:N (NVD Primary) versus UI:R (NVIDIA CNA Secondary). Every other metric in the two CVSS 3.1 vectors is identical (AV:N/AC:L/PR:N, S:U, C:H/I:H/A:H).

  • NVD CVSS 3.1 Primary: 9.8 CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, source nvd@nist.gov
  • NVIDIA CNA CVSS 3.1 Secondary: 8.8 HIGH, vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, source NVIDIA PSIRT

RAXE inference: NVIDIA's CNA UI:R reflects a malicious-artefact load prerequisite: the vulnerable deserialisation code path is reached when an operator or workflow loads attacker-controlled serialised data into BioNeMo. NVD's UI:N is the conservative reading in which the deserialisation path is treated as reachable without active user involvement. Neither NVIDIA's advisory nor NVD's record explicitly states which load path motivated each vector. Per RAXE publication convention, the NVD Primary 9.8 CRITICAL is used as the headline severity; defenders modelling operational exploitability should read NVIDIA's 8.8 HIGH as the more mechanism-aware score. Both readings are defensible given the sparse public advisory text.

Affected Products

| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| NVIDIA BioNeMo Framework (GitHub + NGC) | versionEndExcluding: 2026-01-21 per NVD CPE (repository state before commit e5e58c8) | Commit e5e58c8 or later on github.com/NVIDIA/bionemo-framework; NGC image rebuilds from that commit | Patched (vendor via Bulletin a_id/5808) |

Fix distribution medium: BioNeMo Framework is an open-source project at github.com/NVIDIA/bionemo-framework. Per NVIDIA Security Bulletin a_id/5808 the vendor remediation is to "clone or update this software to include commit e5e58c8 or later" from that repository. NVIDIA also distributes BioNeMo as pre-built images on the NVIDIA NGC container registry; NGC images built from a commit earlier than e5e58c8 remain affected until rebuilt. The CVE is not tracked on PyPI or npm (BioNeMo is not a Python package), so defenders should drive inventory from Git commit SHA (for self-built deployments) and NGC image digest (for vendor-built deployments) rather than from PyPI / npm SBOM signals.

Am I affected?

  • Do you run BioNeMo? Check GPU workloads, biomedical-AI training or inference pipelines, protein language model work, molecular property prediction, and genomics workflows for use of the BioNeMo framework. NGC image names typically contain bionemo or nemo.
  • Git commit SHA (self-built) or NGC image digest (vendor-built): for self-built BioNeMo deployments, compare the checked-out commit SHA against e5e58c8 on github.com/NVIDIA/bionemo-framework; for NGC-image deployments, record the current image digest and verify that the vendor image is built from a branch including e5e58c8. NVIDIA's bulletin does not publish a fixed image tag or digest. PyPI / npm SBOM tooling will not surface this exposure because BioNeMo is not a Python package.
  • Serialised-data sources: inventory attacker-influenceable serialised inputs loaded into BioNeMo pipelines, especially pickle/webdatamodule conversion inputs. Broader checkpoint and model-artefact monitoring remains useful CWE-502 hunting, but NVIDIA's public bulletin does not identify tokenisers, safetensors, ONNX, or a specific checkpoint loader as the affected path.
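One way to automate the commit comparison for self-built checkouts, as an added example (not NVIDIA's or RAXE's tooling): it asks git whether e5e58c8 is an ancestor of HEAD instead of comparing SHA strings, and reports "unknown" when the fix commit is not in the local object store, as in a shallow clone. The function names and status labels are assumptions of this example.

```python
import subprocess
import sys

FIX_COMMIT = "e5e58c8"  # fix commit named in NVIDIA Security Bulletin a_id/5808


def run_git(repo, *args):
    """Run git inside `repo`; return its exit code, or None if git cannot run."""
    try:
        return subprocess.run(["git", "-C", repo, *args],
                              capture_output=True, text=True).returncode
    except OSError:
        return None


def fix_status(repo, fix_commit=FIX_COMMIT):
    """Classify a checkout as 'fixed', 'affected' or 'unknown'.

    'unknown' covers every case where ancestry cannot be decided locally:
    not a git checkout, git missing, or the fix commit object absent or
    ambiguous (shallow clone, stale fetch, fork that never fetched it).
    Such checkouts need a full fetch from upstream before re-checking.
    """
    for rev in ("HEAD", fix_commit):
        # ^{commit} forces git to resolve the name to an existing commit object.
        if run_git(repo, "rev-parse", "--verify", "--quiet",
                   rev + "^{commit}") != 0:
            return "unknown"
    # Exit 0: fix commit is HEAD or one of its ancestors. Exit 1: it is not.
    code = run_git(repo, "merge-base", "--is-ancestor", fix_commit, "HEAD")
    return {0: "fixed", 1: "affected"}.get(code, "unknown")


if __name__ == "__main__":
    # Usage: python check_fix.py /path/to/bionemo-framework
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(target, fix_status(target))
```

An "unknown" result is not a pass: record it in the inventory as unverified until the checkout has full history.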

Abstract

CVE-2026-24164 is a CWE-502 Deserialization-of-Untrusted-Data vulnerability in NVIDIA BioNeMo, NVIDIA's biomedical-AI framework for protein language modelling, molecular property prediction, and genomics-oriented training and inference. The vulnerability was disclosed by NVIDIA via Security Bulletin a_id/5808 and published on NVD on 2026-03-31 with Analyzed status reached on 2026-04-03. NVD records CVSS 3.1 Primary 9.8 CRITICAL with an NVD Primary CWE mapping of CWE-502 (per NVD's published metadata, adopted from the NVIDIA PSIRT's CNA submission, which is the standard CNA-to-NVD pattern). NVIDIA's CNA Secondary CVSS 3.1 is 8.8 HIGH, identical to the NVD vector except for UI:R versus UI:N. NVIDIA's public advisory is terse: it does not enumerate the vulnerable API, the affected file or code path, the specific serialisation format, or the precise fix mechanism; it does publish a commit-based affected/fixed condition.

RAXE has not audited the BioNeMo source tree and this draft does not invent mechanical details beyond what NVD and the vendor publish. BioNeMo is distributed as source on github.com/NVIDIA/bionemo-framework and as pre-built images on the NVIDIA NGC container registry. It is not a PyPI or npm package, so conventional Python-SBOM tooling does not surface this CVE, but the GitHub repository is public and fix tracking can be driven from the repository commit graph. The vendor remediation per Bulletin a_id/5808 is commit e5e58c8 on the upstream repository; NVD records an affected-CPE bound of versionEndExcluding: 2026-01-21.

Key Findings

  1. CWE-502 in a vendor-distributed ML framework. The root cause class is Deserialization of Untrusted Data (CWE-502), recorded as Primary from the NVIDIA PSIRT and adopted by NVD in its published metadata. CWE-502 in any framework that ingests untrusted serialised artefacts is a textbook AI-supply-chain vulnerability; RAXE maps it to MITRE ATLAS AML.T0010 (AI Supply Chain Compromise) as a RAXE assessment. Neither NVIDIA nor NVD asserts an ATLAS mapping in this advisory, and the mapping here is RAXE inference from the CWE class plus the trusted-artefact-ingestion attack shape.

  2. Sparse advisory is the dominant limitation. NVIDIA Security Bulletin a_id/5808 does not name the vulnerable API, the affected code path, the serialisation library, or the fix mechanism beyond the fixed commit. It does state that affected versions are BioNeMo Framework builds/branches that do not include commit e5e58c8; NVD represents the affected CPE with versionEndExcluding: 2026-01-21. NVD's description is a single sentence covering impact; it does not expand on mechanism. Any technical content in this draft that goes beyond the verbatim NVD description or the NVIDIA advisory text is explicitly labelled RAXE assessment bounded by CWE-502 semantics.

  3. CVSS UI divergence reflects a reading, not a disagreement. NVD Primary (UI:N, 9.8) and NVIDIA CNA Secondary (UI:R, 8.8) agree on every other metric. RAXE inference is that NVIDIA's UI:R reflects a user/workflow loading attacker-controlled serialised data to reach the vulnerable deserialisation path, while NVD's UI:N takes the conservative reading. The 1.0-point severity delta is real but both scores are internally consistent; defenders should read both together.

  4. Vendor-distributed framework with dual delivery channel. BioNeMo is open-source on github.com/NVIDIA/bionemo-framework and vendor-packaged in the NVIDIA NGC container registry; the fix is a Git commit (e5e58c8) that customers apply by cloning/updating from the repository or by pulling an updated NGC image built from that commit. This is the first RAXE finding where the canonical fix identifier is a Git commit SHA rather than a PyPI/npm version number; defender inventory tooling must support Git commit comparison or NGC image-digest comparison in addition to Python-SBOM signals. RAXE's affected_packages metadata is deliberately empty because there is no PyPI or npm artefact to pin.

  5. Low observed exploitation signal. FIRST.org EPSS records 0.00074 (22.4th percentile) as of 2026-04-23. The CVE is not on the CISA KEV list as of 2026-04-24, and RAXE has not observed a public proof-of-concept, weaponised exploit, or in-the-wild activity targeting this CVE as of publication. EPSS is a poor proxy for targeted risk in concentrated specialist populations such as biomedical-AI research groups.

Attack Flow

NVIDIA's public advisory does not describe a multi-step attack kill chain, and RAXE does not invent one. The supportable framing, bounded by CWE-502 semantics, is a single-step primitive:

Attacker -> publishes, hosts, or substitutes a serialised
            artefact (pickle/webdatamodule input or other
            BioNeMo-ingestible serialised file) through a delivery
            channel that a BioNeMo operator trusts
            (public model hub, collaborator upload,
            intermediate training artefact).

Operator -> loads the attacker-controlled artefact into a
            BioNeMo container running a version prior to
            NVIDIA's fix per Bulletin a_id/5808.

BioNeMo  -> deserialises the untrusted artefact via a
            code path NVIDIA has not publicly identified.

Outcome  -> per NVD verbatim: "code execution, denial of
            service, information disclosure, and data
            tampering."

The diagram above is bounded entirely by the CWE-502 class and the NVD verbatim impact statement. RAXE does not name APIs, file paths, or payload formats that NVIDIA has not disclosed.

Technical Details

Vulnerability mechanics (bounded by source material)

NVD's description, verbatim: "NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering."

The CWE mapping is CWE-502 Deserialization of Untrusted Data, published as Primary on NVD. Per standard CNA-to-NVD workflow, the CWE classification originates from the NVIDIA PSIRT submission and is adopted by NVD during its analysis; it is not an independent MITRE assignment.

What the advisory does NOT specify

NVIDIA Security Bulletin a_id/5808 does not publish:

  • The vulnerable API or entry point
  • The affected file, class, or function
  • The specific serialisation format in the bulletin/NVD prose. The public fix commit removes a pickle.loads path in BioNeMo's webdatamodule utilities, but the advisory text itself does not publish that implementation detail.
  • A semantic version range. NVIDIA instead publishes a commit-based affected/fixed condition: versions/branches that do not include e5e58c8 are affected, and branches including e5e58c8 are updated.
  • The fix mechanism beyond the public fixed commit
  • A proof-of-concept or reproducer

RAXE has not audited the BioNeMo source tree and does not invent these details. Any statement in this document that extends beyond the NVD verbatim description, the NVIDIA advisory text, or commit e5e58c8's public identifier is explicitly a RAXE assessment bounded by CWE-502 semantics.

CVSS metadata

| Scoring System | Score | Severity | Vector | Source |
|---|---|---|---|---|
| CVSS 3.1 Primary | 9.8 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | NVD (nvd@nist.gov) |
| CVSS 3.1 Secondary | 8.8 | HIGH | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | NVIDIA PSIRT (CNA) |

Attack surface

BioNeMo deployments should treat attacker-controlled serialised artefacts as the exposure surface. The public fix commit points to a pickle/webdatamodule conversion path, while the bulletin/NVD prose does not name a vulnerable API or payload format. Broader checkpoint/model-artefact telemetry remains useful CWE-502 hunting, but should be labelled generic deserialisation-class coverage rather than a CVE-2026-24164-specific IOC unless the local deployment confirms that path.

CPE

NVD publishes the affected CPE as cpe:2.3:a:nvidia:bionemo_framework:*:*:*:*:*:*:*:* with versionEndExcluding: 2026-01-21. BioNeMo Framework source states prior to the 2026-01-21 commit cutoff are affected per NVD's CPE declaration, which aligns with the vendor's stated fix commit e5e58c8.

Confidence & Validation

Assessment Confidence: High (on facts); Bounded (on mechanics)

| Aspect | Status | Detail |
|---|---|---|
| Vendor advisory | Confirmed | NVIDIA Security Bulletin a_id/5808 published at https://nvidia.custhelp.com/app/answers/detail/a_id/5808 (accessed 2026-04-24). |
| CVE assigned | Confirmed | CVE-2026-24164 on NVD, Analyzed; published 2026-03-31, lastModified 2026-04-03. |
| PoC available | No public PoC observed by RAXE | NVIDIA does not publish a PoC; no third-party public PoC identified as of 2026-04-24. |
| Patch available | Yes | NVIDIA Security Bulletin a_id/5808 specifies commit e5e58c8 on github.com/NVIDIA/bionemo-framework as the fix. NGC images rebuilt from that commit incorporate the fix; the bulletin does not publish a fixed NGC image tag or digest. |
| Exploited in wild | Not observed by RAXE | No CISA KEV listing; FIRST.org EPSS 0.00074 / 22.4th percentile as of 2026-04-23; no in-the-wild reports observed. |

Detection Signatures

Three Sigma rules are published in the finding directory as detection/bionemo-deserialization.yml. All three are explicitly labelled RAXE-assessment CWE-502 class hunting heuristics and are not CVE-2026-24164-specific IOCs: NVIDIA's advisory does not publish enough prose detail to author CVE-specific detections, and the public fix commit should be used only to tune site-specific pickle/webdatamodule hunting. Deploy as audit-only hunting feeds, not as blocking detections, and tune the per-site path and endpoint allowlists before enabling. The three rules are independent detections, not a sequenced chain. Rule 1 has the highest false-positive potential of the three and will require the most per-site allowlist tuning, because most production BioNeMo deployments use site-specific mount points that fall outside the rule's default allowlist.

  1. BioNeMo Worker Reading Serialised Artefact From Non-Standard Path (CWE-502 Hunting), level medium. File-event rule for BioNeMo Python workers opening serialised-object formats such as .pkl / .pickle, plus broader model/checkpoint extensions when teams choose generic CWE-502 hunting coverage, outside the deployment's typical artefact directories. A proxy for "worker is loading an attacker-planted artefact". Per-site known-good path allowlist must be tuned.

  2. BioNeMo Python Worker Spawning Non-Baseline Subprocess (CWE-502 Post-Exploitation Hunting), level high. Process-creation rule for BioNeMo Python workers whose children are outside the baseline set (CUDA utilities, nvidia-smi, Python multiprocessing helpers, standard shells). Treats unexpected subprocess creation as post-exploitation evidence for the CWE-502 class.

  3. BioNeMo Python Worker Unexpected Outbound Connection During Model Load (CWE-502 Exfiltration Hunting), level medium. Network-connection rule correlating BioNeMo Python workers with outbound connections to endpoints outside the expected NGC, Hugging Face, and object-storage allowlist plus RFC1918 ranges. Tune the endpoint allowlist per site; internal model registries must be added.
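The three heuristics above expressed as triage logic over constructed telemetry, as an added example and not the rules RAXE publishes in detection/bionemo-deserialization.yml. The event field names, the worker-identification convention, the mount paths and the allowlists are all assumptions to be replaced per site.

```python
import ipaddress
import posixpath

# Every value below is an illustrative assumption; tune per site.
ARTEFACT_ROOTS = ("/workspace/bionemo/data", "/models")   # hypothetical mounts
SERIALISED_EXT = (".pkl", ".pickle")
BASELINE_CHILDREN = {"nvidia-smi", "python", "python3", "sh", "bash"}
ALLOWED_HOSTS = {"nvcr.io", "huggingface.co"}             # add site registries
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_worker(ev):
    """Assumed convention: a Python process whose command line names bionemo."""
    image = posixpath.basename(ev.get("image", ""))
    return "python" in image and "bionemo" in ev.get("cmdline", "")


def under_root(path, roots=ARTEFACT_ROOTS):
    """Match on the normalised path with a separator boundary, so that
    '/models-tmp/x.pkl' and '/models/../tmp/x.pkl' do not pass as '/models'."""
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname, not an IP literal
    return any(addr in net for net in RFC1918)


def triage(ev):
    """Return the heuristic a single event matches, or None."""
    if not is_worker(ev):
        return None
    kind = ev.get("type")
    if kind == "file_open":
        path = ev["path"]
        if path.lower().endswith(SERIALISED_EXT) and not under_root(path):
            return "rule1-nonstandard-artefact-path"
    elif kind == "process_create":
        if posixpath.basename(ev["child_image"]) not in BASELINE_CHILDREN:
            return "rule2-non-baseline-child"
    elif kind == "net_connect":
        if ev["dest"] not in ALLOWED_HOSTS and not is_rfc1918(ev["dest"]):
            return "rule3-unexpected-outbound"
    return None


def hunt(events):
    """Audit-only: list (index, rule) hits; nothing is blocked."""
    return [(i, r) for i, r in ((i, triage(e)) for i, e in enumerate(events)) if r]


# Constructed sample telemetry (not captured from a real deployment).
W = {"image": "/usr/bin/python3", "cmdline": "python3 /workspace/bionemo/train.py"}
EVENTS = [
    {**W, "type": "file_open", "path": "/workspace/bionemo/data/shard-000.pkl"},
    {**W, "type": "file_open", "path": "/models/../tmp/upload/shard.pkl"},
    {**W, "type": "file_open", "path": "/models-tmp/shard.pickle"},
    {**W, "type": "process_create", "child_image": "/usr/bin/nvidia-smi"},
    {**W, "type": "process_create", "child_image": "/usr/bin/curl"},
    {**W, "type": "net_connect", "dest": "10.20.0.5"},
    {**W, "type": "net_connect", "dest": "203.0.113.10"},   # documentation range
    {"image": "/usr/bin/python3", "cmdline": "python3 manage.py",
     "type": "process_create", "child_image": "/usr/bin/curl"},
]

if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(idx, rule)
```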

Detection & Mitigation

Priority 1: apply the vendor fix per NVIDIA Security Bulletin a_id/5808. The Bulletin specifies commit e5e58c8 on github.com/NVIDIA/bionemo-framework as the fix. Self-built deployments: git pull the upstream repository to include that commit or later. Vendor-built deployments: pull an NGC image rebuilt from that commit and confirm the image digest.

Priority 2: inventory BioNeMo across the organisation. For self-built deployments, record the checked-out commit SHA. For NGC-based deployments, record the image digest and publication timestamp. PyPI / npm advisory streams do not surface this CVE because BioNeMo is not a Python package.

Priority 3: deploy the three hunting Sigma rules with per-site tuning. Treat them as audit-only CWE-502 class hunting feeds until the vendor fix is confirmed applied across affected deployments. False-positive rates will depend heavily on local path conventions and endpoint allowlists; the publishable rules ship with illustrative defaults that must be customised.

Priority 4: build GitHub-commit / NGC-digest inventory workflows for AI-platform frameworks. Because BioNeMo (like many vendor ML frameworks) is not on PyPI or npm, conventional Python-SBOM tooling does not cover it. Inventory can be driven by Git commit SHA comparison against the vendor's fix commit and by NGC image-pull telemetry. Biomedical-AI, drug discovery, genomics, and protein language modelling workloads are the concentration points.

Priority 5: audit past serialised-artefact load activity on pre-fix deployments. Retrospective review of file-event and process-creation telemetry against the three Sigma hunting heuristics can surface historical loads of untrusted artefacts. Prioritise pickle/webdatamodule inputs and require provenance or hash verification on serialised artefacts loaded into BioNeMo pipelines until containers have been patched.
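A minimal load gate for the hash-verification control in Priority 5, as an added example (not BioNeMo or RAXE code): only a SHA-256 match against a manifest allows a load, and rejected files get a static opcode listing from pickletools, which never unpickles anything. The manifest shape, file names and sample pickles are constructed for illustration.

```python
import hashlib
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that make an unpickler import a name, call something, or consult
# an external registry. A pickle with none of these only rebuilds plain data.
NAMED_IMPORT_OPS = {"GLOBAL", "INST"}
OTHER_ACTIVE_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "OBJ", "BUILD",
                    "EXT1", "EXT2", "EXT4", "PERSID", "BINPERSID"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_pickle(data):
    """List (opcode, target) pairs for active opcodes without unpickling.

    STACK_GLOBAL takes its module and name from the stack, so the target is
    a best-effort guess from the two most recent string arguments.
    """
    findings, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in NAMED_IMPORT_OPS:
                findings.append((op.name, arg.replace(" ", ".")))
            elif op.name == "STACK_GLOBAL":
                target = ".".join(strings) if len(strings) == 2 else "?"
                findings.append((op.name, target))
            elif op.name in OTHER_ACTIVE_OPS:
                findings.append((op.name, None))
            elif isinstance(arg, str):
                strings = (strings + [arg])[-2:]
    except Exception as exc:              # truncated or non-pickle input
        findings.append(("MALFORMED", str(exc)))
    return findings


def gate(name, data, manifest):
    """Decide whether a pipeline may load `data`.

    Only a manifest hash match allows the load. The opcode scan never
    allows anything; it annotates rejected files for the analyst.
    """
    expected = manifest.get(name)
    if expected is not None and expected == sha256_hex(data):
        return {"allow": True, "reason": "sha256 matches manifest", "ops": []}
    reason = "not in manifest" if expected is None else "sha256 mismatch"
    return {"allow": False, "reason": reason, "ops": scan_pickle(data)}


# Constructed samples: a data-only pickle, and one that references a
# harmless standard-library class so the scan has something to report.
PLAIN = pickle.dumps({"tokens": [1, 2, 3], "label": "sample"})
WITH_IMPORT = pickle.dumps(OrderedDict(a=1), protocol=2)
MANIFEST = {"shard-000.pkl": sha256_hex(PLAIN)}   # hypothetical manifest

if __name__ == "__main__":
    print(gate("shard-000.pkl", PLAIN, MANIFEST))
    print(gate("shard-000.pkl", WITH_IMPORT, MANIFEST))
```

An empty opcode listing on a rejected file is triage context only; the file stays rejected until its hash is added to the manifest through the site's provenance process.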

Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| File-event | BioNeMo Python worker opens a pickle or other serialised artefact outside the deployment's typical artefact mount paths | Pre-exploit primitive under CWE-502 semantics (RAXE assessment; tune for the site's webdatamodule/checkpoint conventions) |
| Process-creation | BioNeMo Python worker spawns an unexpected child process (outside CUDA utilities, nvidia-smi, multiprocessing helpers, standard shells) during or immediately after a model-load operation | Post-exploitation hunting for the CWE-502 class (RAXE assessment) |
| Network-connection | BioNeMo Python worker opens an outbound connection to an endpoint outside the expected NGC, Hugging Face, object-storage, and RFC1918 set during a model-load operation | Exfiltration or C2 primitive following CWE-502 exploitation (RAXE assessment) |
| Artefact-provenance | Pickle/webdatamodule input or other serialised artefact ingested by BioNeMo without hash verification or provenance control | Pre-exploit primitive, the supply-chain carrier for a CWE-502 payload (RAXE assessment) |

No file-hash or network-indicator IOCs are available; NVIDIA's advisory does not publish attacker infrastructure or payload hashes, and RAXE has not observed public exploitation.

Strategic Context

This is the first NVIDIA AI-platform finding in RAXE's 2026 corpus. RAXE's historical coverage has concentrated on open-source agentic frameworks (LangChain, PraisonAI, LiteLLM, Flowise, smolagents, CrewAI) distributed through PyPI and npm. CVE-2026-24164 is distinctive on two axes:

  • Vendor-distributed framework with dual delivery channel. BioNeMo is open-source on GitHub (github.com/NVIDIA/bionemo-framework) and also distributed as NGC container images. The vendor's stated fix identifier is a Git commit (e5e58c8) rather than a PyPI / npm version number. Defender workflows built around Python-SBOM tooling do not automatically surface this CVE; inventory for BioNeMo and similar vendor ML frameworks requires Git commit comparison or NGC image-digest comparison.
  • Concentrated, specialised deployment footprint. BioNeMo's user base is biotech, pharmaceutical R&D, contract research organisations, and academic bioinformatics laboratories, a narrower and more specialist population than the broad enterprise-AI population that consumes LangChain or LiteLLM. This limits the CVE's enterprise blast radius but raises the stakes in the populations where it does apply.

For RAXE's forward-looking corpus, this finding is a coverage-expansion opportunity rather than a breakthrough. The AI-supply-chain threat surface, which RAXE has primarily documented at the level of open-source Python packages, also exists at the level of GPU-vendor container ecosystems, with the additional complication that conventional SBOM tooling does not cover it. The second and third NVIDIA AI-platform findings will be more informative than this first one; baseline data for NVIDIA's disclosure cadence, advisory-depth norms, and CNA-vs-NVD scoring behaviour will only emerge once several advisories have been observed.

The practical posture for enterprise defenders with biomedical-AI workloads: subscribe to NVIDIA PSIRT's advisory stream, treat Git commit SHA and NGC image-digest enumeration as part of AI-platform inventory, and extend CWE-502-class hunting content to cover vendor-distributed ML frameworks alongside the open-source Python corpus. The detection class, "untrusted serialised artefact ingested by a training or inference runtime", generalises across distribution channels; the monitoring tooling has to follow.

References

  1. NVD, CVE-2026-24164, https://nvd.nist.gov/vuln/detail/CVE-2026-24164 (accessed 2026-04-24; vulnStatus Analyzed; published 2026-03-31; lastModified 2026-04-03; CVSS 3.1 Primary 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CWE-502 Primary; source nvd@nist.gov).
  2. NVIDIA Security Bulletin, a_id/5808, https://nvidia.custhelp.com/app/answers/detail/a_id/5808 (accessed 2026-04-24; vendor advisory for CVE-2026-24164 BioNeMo deserialisation RCE; CNA CVSS 3.1 Secondary 8.8 HIGH AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3. CVE.org, CVE-2026-24164, https://www.cve.org/CVERecord?id=CVE-2026-24164 (accessed 2026-04-24; canonical CVE record).
  4. FIRST.org EPSS, CVE-2026-24164, https://api.first.org/data/v1/epss?cve=CVE-2026-24164 (accessed 2026-04-23; 0.00074 / 22.4th percentile; no exploitation activity detected).
  5. MITRE ATLAS, AML.T0010 AI Supply Chain Compromise. RAXE's local ATLAS lookup table confirms the identifier. The canonical MITRE ATLAS web URL at https://atlas.mitre.org/techniques/AML.T0010 returned HTTP 404 when accessed 2026-04-24; MITRE may have reorganised the ATLAS site since the local lookup table was last refreshed. Technique is listed by identifier only until the canonical URL is re-established.